Use sample configurations with the administrative console for testing purposes. The configurations that you specify are reflected on the cell or server level.
This information describes the sample default bindings, key stores, key locators, collection certificate store, trust anchors, and trusted ID evaluators for WebSphere® Application Server using the Java API for XML-based RPC (JAX-RPC) programming model.

You can develop web services using the Java API for XML-based RPC (JAX-RPC) programming model, or, for WebSphere Application Server Version 7 and later, using the Java API for XML-Based Web Services (JAX-WS) programming model. The sample default bindings, key stores, key locators, collection certificate store, trust anchors, and trusted ID evaluators may differ depending on which programming model you use.
Best practice: IBM® WebSphere Application Server supports the Java API for XML-Based Web Services (JAX-WS) programming model and the Java API for XML-based RPC (JAX-RPC) programming model. JAX-WS is the next generation web services programming model, extending the foundation provided by the JAX-RPC programming model. Using the strategic JAX-WS programming model, development of web services and clients is simplified through support of a standards-based annotations model. Although the JAX-RPC programming model and applications are still supported, take advantage of the easy-to-implement JAX-WS programming model to develop new web services applications and clients.
Do not use these configurations in a production environment, as they are for sample and testing purposes only. To make modifications to these sample configurations, it is recommended that you use the administrative console provided by WebSphere Application Server.
For a Web Services Security-enabled application, you must correctly configure a deployment descriptor and a binding. In WebSphere Application Server, one set of default bindings is shared by the applications to make application deployment easier. The default binding information for the cell level and the server level can be overridden by the binding information on the application level. The Application Server searches for binding information for an application on the application level before searching the server level, and then the cell level.
The following sample configurations are for WebSphere Application Server using the Java API for XML-based RPC (JAX-RPC) programming model.
Default generator binding

WebSphere Application Server provides a sample set of default generator bindings. The default generator bindings contain both signing information and encryption information.

The sample signing information configuration is called gen_signinfo and contains the following configurations:
- Uses the following algorithms for the gen_signinfo configuration:
  - Signature method: http://www.w3.org/2000/09/xmldsig#rsa-sha1
  - Canonicalization method: http://www.w3.org/2001/10/xml-exc-c14n#
- References the gen_signkeyinfo signing key information. The following information pertains to the gen_signkeyinfo configuration:
  - Contains a part reference configuration that is called gen_signpart. The part reference is not used in the default binding. The signing information applies to all of the Integrity or RequiredIntegrity elements within the deployment descriptors, and the part reference is used for naming purposes only. The following information pertains to the gen_signpart configuration:
    - Uses the transform configuration called transform1. The following transforms are configured for the default signing information:
      - Uses the http://www.w3.org/2001/10/xml-exc-c14n# algorithm
      - Uses the http://www.w3.org/2000/09/xmldsig#sha1 digest method
  - Uses the security token reference, which is the configured default key information.
  - Uses the SampleGeneratorSignatureKeyStoreKeyLocator key locator. For more information on this key locator, see Sample key locators.
  - Uses the gen_signtgen token generator, which contains the following configuration:
    - Contains the X.509 token generator, which generates the X.509 token of the signer.
    - Contains the gen_signtgen_vtype value type URI.
    - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type local name value.
    - Uses the X.509 callback handler. The callback handler calls the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks key store:
      - The key store password is client.
      - The alias name of the trusted certificate is soapca.
      - The alias name of the personal certificate is soaprequester.
      - The key password is client. The personal certificate is issued by the Int CA2 intermediary certificate authority, which is in turn issued by soapca.

The sample encryption information configuration is called gen_encinfo and contains the following configurations:
- Uses the following algorithms for the gen_encinfo configuration:
  - Data encryption method: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
  - Key encryption method: http://www.w3.org/2001/04/xmlenc#rsa-1_5
- References the gen_enckeyinfo encryption key information. The following information pertains to the gen_enckeyinfo configuration:
  - Uses the key identifier as the default key information.
  - Contains a reference to the SampleGeneratorEncryptionKeyStoreKeyLocator key locator. For more information on this key locator, see Sample key locators.
  - Uses the gen_signtgen token generator, which has the following configuration:
    - Contains the X.509 token generator, which generates the X.509 token of the signer.
    - Contains the gen_enctgen_vtype value type URI.
    - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type local name value.
    - Uses the X.509 callback handler. The callback handler calls the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks key store:
      - The key store password is storepass.
      - The secret key CN=Group1 has an alias name of Group1 and a key password of keypass.
      - The public key CN=Bob, O=IBM, C=US has an alias name of bob and a key password of keypass.
      - The private key CN=Alice, O=IBM, C=US has an alias name of alice and a key password of keypass.
Default consumer binding

WebSphere Application Server provides a sample set of default consumer bindings. The default consumer bindings contain both signing information and encryption information.

The sample signing information configuration is called con_signinfo and contains the following configurations:
- Uses the following algorithms for the con_signinfo configuration:
  - Signature method: http://www.w3.org/2000/09/xmldsig#rsa-sha1
  - Canonicalization method: http://www.w3.org/2001/10/xml-exc-c14n#
- Uses the con_signkeyinfo signing key information reference. The following information pertains to the con_signkeyinfo configuration:
  - Contains a part reference configuration that is called con_signpart. The part reference is not used in the default binding. The signing information applies to all of the Integrity or RequiredIntegrity elements within the deployment descriptors, and the part reference is used for naming purposes only. The following information pertains to the con_signpart configuration:
    - Uses the transform configuration called reqint_body_transform1. The following transforms are configured for the default signing information:
      - Uses the http://www.w3.org/2001/10/xml-exc-c14n# algorithm.
      - Uses the http://www.w3.org/2000/09/xmldsig#sha1 digest method.
  - Uses the security token reference, which is the configured default key information.
  - Uses the SampleX509TokenKeyLocator key locator. For more information on this key locator, see Sample key locators.
  - References the con_signtcon token consumer configuration. The following information pertains to the con_signtcon configuration:
    - Uses the X.509 token consumer, which is configured as the consumer for the default signing information.
    - Contains the signtconsumer_vtype value type URI.
    - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type local name value.
    - Contains a JAAS configuration called system.wssecurity.X509BST that references the following information:
      - Trust anchor: SampleClientTrustAnchor
      - Collection certificate store: SampleCollectionCertStore

The sample encryption information configuration is called con_encinfo and contains the following configurations:
- Uses the following algorithms for the con_encinfo configuration:
  - Data encryption method: http://www.w3.org/2001/04/xmlenc#tripledes-cbc
  - Key encryption method: http://www.w3.org/2001/04/xmlenc#rsa-1_5
- References the con_enckeyinfo encryption key information. This key actually decrypts the message. The following information pertains to the con_enckeyinfo configuration:
  - Uses the key identifier, which is configured as the key information for the default encryption information.
  - Contains a reference to the SampleConsumerEncryptionKeyStoreKeyLocator key locator. For more information on this key locator, see Sample key locators.
  - References the con_enctcon token consumer configuration. The following information pertains to the con_enctcon configuration:
    - Uses the X.509 token consumer, which is configured for the default encryption information.
    - Contains the enctconsumer_vtype value type URI.
    - Contains the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 value type local name value.
    - Contains a JAAS configuration called system.wssecurity.X509BST.
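The generator and consumer sample bindings above both use the same algorithm set (RSA-SHA1, SHA-1 digests, RSA 1.5 key transport, 3DES-CBC), which is one reason the page says not to use them in production. The following Python script is an added example, not part of this documentation or of WebSphere: it extracts the algorithm URIs from a WS-Security header and reports the ones a production policy would not accept. The SOAP envelope is constructed by hand to mirror what these bindings put on the wire, and the WEAK list is this example's own policy.

```python
# Added example (not WebSphere code): audit the algorithm URIs that the gen_signinfo /
# gen_encinfo sample bindings put on the wire. WEAK and SAMPLE are constructed here.
import xml.etree.ElementTree as ET
NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}

# Algorithms from the sample bindings that a production policy would reject.
WEAK = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA-SHA1 signature",
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA-1 digest",
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5": "RSA PKCS#1 v1.5 key transport",
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": "3DES-CBC data encryption",
}

# Where each algorithm URI appears in the header: (slot name, element path).
SLOTS = [
    ("signature method", ".//ds:SignedInfo/ds:SignatureMethod"),
    ("canonicalization method", ".//ds:SignedInfo/ds:CanonicalizationMethod"),
    ("transform", ".//ds:Reference/ds:Transforms/ds:Transform"),
    ("digest method", ".//ds:Reference/ds:DigestMethod"),
    ("key encryption method", ".//xenc:EncryptedKey/xenc:EncryptionMethod"),
    ("data encryption method", ".//xenc:EncryptedData/xenc:EncryptionMethod"),
]

def collect_algorithms(soap_xml):
    """Return (slot, Algorithm URI) pairs for every algorithm-bearing element."""
    root = ET.fromstring(soap_xml)
    return [(slot, el.get("Algorithm", ""))
            for slot, path in SLOTS for el in root.findall(path, NS)]

def audit(soap_xml):
    """Return one finding per weak algorithm in use; an empty list means clean."""
    return [f"{slot}: {WEAK[uri]} ({uri})"
            for slot, uri in collect_algorithms(soap_xml) if uri in WEAK]

# Constructed sample: the header shape the gen_signinfo/gen_encinfo defaults produce.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
 <soapenv:Header><wsse:Security>
  <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/></xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="#body">
    <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   </ds:Reference></ds:SignedInfo></ds:Signature>
 </wsse:Security></soapenv:Header>
 <soapenv:Body><xenc:EncryptedData>
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
 </xenc:EncryptedData></soapenv:Body></soapenv:Envelope>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running the script against the sample prints four findings (signature method, digest method, key encryption method, data encryption method); the exclusive canonicalization and transform entries pass.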
Sample key store configurations

WebSphere Application Server provides the following key stores. You can work with these key stores outside of the Application Server by using the iKeyman utility or the key tool.
- The iKeyman utility is located in the following directory: app_server_root/bin/ikeyman (or app_server_root\bin\ikeyman.sh)
- The key tool is located in the following directory: app_server_root/java/jre/bin/keytool (or app_server_root\java\jre\bin\keytool.sh)
The following sample key stores are for testing purposes only; do not use these key stores in a production environment:
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks
  - The key store format is JKS.
  - The key store password is client.
  - The trusted certificate has a soapca alias name.
  - The personal certificate has a soaprequester alias name and a client key password, and is issued by the Int CA2 intermediary certificate authority, which is, in turn, issued by soapca.
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks
  - The key store format is JKS.
  - The key store password is server.
  - The trusted certificate has a soapca alias name.
  - The personal certificate has a soapprovider alias name and a server key password, and is issued by the Int CA2 intermediary certificate authority, which is, in turn, issued by soapca.
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks
  - The key store format is JCEKS.
  - The key store password is storepass.
  - The CN=Group1 DES secret key has a Group1 alias name and a keypass key password.
  - The CN=Bob, O=IBM, C=US public key has a bob alias name and a keypass key password.
  - The CN=Alice, O=IBM, C=US private key has an alice alias name and a keypass key password.
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks
  - The key store format is JCEKS.
  - The key store password is storepass.
  - The CN=Group1 DES secret key has a Group1 alias name and a keypass key password.
  - The CN=Bob, O=IBM, C=US private key has a bob alias name and a keypass key password.
  - The CN=Alice, O=IBM, C=US public key has an alice alias name and a keypass key password.
- ${USER_INSTALL_ROOT}/etc/ws-security/samples/intca2.cer
  - The intermediary certificate is signed by soapca, and it signs both the soaprequester and the soapprovider certificates.
Sample key locators

Key locators are used to locate the key for digital signature, encryption, and decryption. For information on how to modify these sample key locator configurations, see the following articles:
- SampleClientSignerKey: This key locator is used by the request sender for a Version 5.x application to sign the SOAP message. The signing key name is clientsignerkey, which is referenced in the signing information as the signing key name.
- SampleServerSignerKey: This key locator is used by the response sender for a Version 5.x application to sign the SOAP message. The signing key name is serversignerkey, which can be referenced in the signing information as the signing key name.
- SampleSenderEncryptionKeyLocator: This key locator is used by the sender for a Version 5.x application to encrypt the SOAP message. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks key store and the com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator key store key locator. The implementation is configured for the DES secret key. To use asymmetric encryption (RSA), you must add the appropriate RSA keys.
- SampleReceiverEncryptionKeyLocator: This key locator is used by the receiver for a Version 5.x application to decrypt the encrypted SOAP message. The implementation is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks key store and the com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator key store key locator. The implementation is configured for symmetric encryption (DES or TRIPLEDES). To use RSA, you must add the private key CN=Bob, O=IBM, C=US, alias name bob, and key password keypass.
- SampleResponseSenderEncryptionKeyLocator: This key locator is used by the response sender for a Version 5.x application to encrypt the SOAP response message. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks key store and the com.ibm.wsspi.wssecurity.config.WSIdKeyStoreMapKeyLocator key store key locator. This key locator maps an authenticated identity (of the current thread) to a public key for encryption. By default, WebSphere Application Server is configured to map to the public key alice, and you must change WebSphere Application Server to map to the appropriate user. The SampleResponseSenderEncryptionKeyLocator key locator can also set a default key for encryption. By default, this key locator is configured to use the public key alice.
- SampleGeneratorSignatureKeyStoreKeyLocator: This key locator is used by the generator to sign the SOAP message. The signing key name is SOAPRequester, which is referenced in the signing information as the signing key name. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks key store and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key store key locator.
- SampleConsumerSignatureKeyStoreKeyLocator: This key locator is used by the consumer to verify the digital signature in the SOAP message. The signing key is SOAPProvider, which is referenced in the signing information. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-receiver.ks key store and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key store key locator.
- SampleGeneratorEncryptionKeyStoreKeyLocator: This key locator is used by the generator to encrypt the SOAP message. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-sender.jceks key store and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key store key locator.
- SampleConsumerEncryptionKeyStoreKeyLocator: This key locator is used by the consumer to decrypt an encrypted SOAP message. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks key store and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key store key locator.
- SampleX509TokenKeyLocator: This key locator is used by the consumer to verify a digital certificate in an X.509 certificate. It is configured to use the ${USER_INSTALL_ROOT}/etc/ws-security/samples/enc-receiver.jceks key store and the com.ibm.wsspi.wssecurity.keyinfo.KeyStoreKeyLocator key store key locator.
Sample collection certificate store

Collection certificate stores are used to validate the certificate path. For information on how to modify this sample collection certificate store, see the following articles:
- SampleCollectionCertStore: This collection certificate store is used by the response consumer and the request generator to validate the signer certificate path.
Sample trust anchors

Trust anchors are used to validate the trust of the signer certificate. For information on how to modify the sample trust anchor configurations, see the following articles:
- SampleClientTrustAnchor: This trust anchor is used by the response consumer to validate the signer certificate. This trust anchor is configured to access the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks key store.
- SampleServerTrustAnchor: This trust anchor is used by the request consumer to validate the signer certificate. This trust anchor is configured to access the ${USER_INSTALL_ROOT}/etc/ws-security/samples/dsig-sender.ks key store.
Sample trusted ID evaluators

Trusted ID evaluators are used to establish trust before asserting the identity in identity assertion. For information on how to modify the sample trusted ID evaluator configuration, see Configuring trusted ID evaluators on the server or cell level.
- SampleTrustedIDEvaluator: This trusted ID evaluator uses the com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorImpl implementation. The default implementation of com.ibm.wsspi.wssecurity.id.TrustedIDEvaluator contains a list of trusted identities. This list, which is used for identity assertion, defines the key name and value pair for the trusted identity. The key name is in the form trustedId_* and the value is the trusted identity. For more information, see the example in Configuring trusted ID evaluators on the server or cell level.

Complete the following steps to define this information for the cell level in the administrative console:
- Click Security > Web services.
- Under Additional properties, click Trusted ID evaluators > SampleTrustedIDEvaluator.